What is yfrog“yfrog is a service run by ImageShack that lets you share your photos on and videos on Twitter.” (yfrog FAQ page)

Twitter affectyfrog can be used to send tweets by uploading new photos, or posting comments on existing photos.yfrog is using OAuth authentication method in order to utilize the Twitter API.

Popularity rateA competitor to TwitPic in the Twitter photo sharing market. Owned and operated by the popular ImageShack photo sharing service provider – 4 twits

Vulnerability: Reflected Cross-Site Scripting in the Upload and Search pages.Status: Patched.Details: The yfrog picture upload page does not encode HTML entities in the “url” variable, which can allow the injection of scripts. Similar vulnerability exists in the “s” variable of the yfrog Search page.This vulnerability could have allowed an attacker to send tweets on behalf of its victims.Proof-of-Concepts: http://yfrog.com/?url=xxx”>%3Cscript%3Ealert%28″xss”%29%3C%2Fscript%3Ehttp://yfrog.com/search.php?s=%3Cscript%3Ealert%28/xss/%29%3C%2Fscript%3EScreenshots:

What is TwitPic“TwitPic lets you share photos on Twitter.” (TwitPic home page)

Twitter affectTwitPic can be used to send tweets by uploading new photos, sending them via email, or posting comments on existing photos.TwitPic is using Username/Password authentication in order to utilize the Twitter API.

Popularity rate Most popular Twitter photo sharing service. Most visited Twitter 3rd party website, according to Compete – 5 twits

Few days before “Month of Twitter Bugs” has started, attackers found Britney Spears’ TwitPic email PIN number by using a brute force attack (which was also fixed by TwitPic).Instead, they could have easily used this CSRF vulnerability in order to tweet the fake death announcement.

2) Cross-Site Request Forgery in the comments form.Status: PatchedDetails: The comments form on each TwitPic picture web page did not use authenticity code in order to validate that the HTTP request POST is coming from the TwitPic web application.This could have been used by an attacker to send comments on behalf of its victims, which could have also tweet the comments in Twitter.

3) Persistent Cross-Site Scripting in the TwitPic profile page.Status: Patched.Details: This vulnerability was first reported to TwitPic on May 18th 2009, and posted on my blog.TwitPic did not encode HTML entities in the information it imported from the Twitter profile, and displayed in the TwitPic profile.Screenshot:

Vendor response rate It took TwitPic only an hour to fix the vulnerabilities. Excellent – 5 twits.

In conclusionTwitPic has a large user base, and I’m happy that they are taking security very seriously. They also take the blame when needed. I’ll keep using TwitPic as my main Twitter photo sharing service.

What is BigTweet“BigTweet was developed by Scott Carter (@scott_carter) as a way to interact more effectively with various networks from the Web. When you click on the BigTweet bookmarklet, a window appears in the middle of your current web page. Use it to post to Twitter or FriendFeed and then return to what you were doing. It doesn’t get any faster.” (BigTweet home page)

Twitter affectBigTweet can be used to send tweets from any web page by using a bookmarklet.BigTweet is using Username/Password authentication in order to utilize the Twitter API.

Popularity rateWhile Bigtweet is not on any of the top Twitter services lists, it has an easy to integrate bookmarklet interface – 1 twit

Vulnerability: Cross-Site Request Forgery in BigTweet upate.json.Status: Patched.Details: The bigtweet update.json web page did not use authenticity code in order to validate that the HTTP post is coming from the bigtweet web application.Screenshots:

Note: While the proof-of-concept in the screenshots used the “xxx” twitter user, the page will actually send a tweet for the currently logged-in user (in the PoC – @avivra). Any bigtweet.com registered user could have been used instead of xxx.

Vendor response rateVulnerability was fully fixed 22 hours after it has been reported. Scott Carter, the developer of BigTweet, is also the one who came up with the idea of having a security best practices document for API developers. Alex Payne from Twitter has written such document last week. Excellent – 5 twits.

What is TwitWall“TwitWall is the easy-to-use, quick-to-blast-out, instant blog companion for Twitter. With TwitWall, you can embed your favorite videos and widgets, upload your photos, mp3 music or podcasts, – you name it..” (TwitWall home page)

Twitter affectTwitWall can be used to send tweets and follow/unfollow other Twitter users.TwitWall is using OAuth authentication token in order to utilize the Twitter API.

Popularity rateThough it’s here since Summer 2008, it has yet to gain enough user base to get into any of the top twitter services lists – 0.5 twits

Vulnerability: Persistent Cross-Site in TwitWall entry view page.Status: Patched.Details: TwitWall allows HTML to be embedded in the wall entries. According to the vendor this was done because “our users with non-malicious intentions enjoy using our html editor”. Unfortunately, the entry view page does not santize scripts and events that came along with the HTML. This vulnerability could have allowed an attacker to send tweets, follow/unfollow others on behalf of its victims.Screenshots:

What is HootSuite“HootSuite is the ultimate Twitter toolbox. With HootSuite, you can manage multiple Twitter profiles, add multiple editors, pre-schedule tweets, and measure your success. HootSuite lets you manage your entire Twitter experience from one easy-to-use interface.” (HootSuite about page)

Twitter affectHootSuite can be used to send tweets, direct messages and follow/unfollow other Twitter users from multiple Twitter accounts.HootSuite is using Username/Password authentication in order to utilize the Twitter API.

Vulnerability: Reflected Cross-Site in the “add-acount” page.Status: Patched.Details: The HootSuite “add-account” page does not encode HTML entities in the “pageMode”variable, which can allow the injection of scripts.This vulnerability could allowed an attacker to send tweets, direct messages and to follow/unfollow others on behalf of its victims.Proof-of-Concept: http://hootsuite.com/twitter/add-account?height=240&width=280&modal=true&pageMode=xxx%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3EScreenshot:

Vendor response rateVulnerability was fixed two hours after it has been reported. Excellent – 5 twits.

What is bit.ly“bit.ly allows users to shorten, share, and track links (URLs). Reducing the URL length makes sharing easier. bit.ly can be accessed through our website, bookmarklets and a robust and open API. bit.ly is also integrated into several popular third-party tools such as Tweetdeck.” (bit.ly about page)

Twitter affectbit.ly can be used to send tweets with the shortened URLs through a form on their website, or a simple GET request.bit.ly is using the OAuth authentication tokens in order to send tweets via the Twitter API.

Vulnerabilities 1) Reflected Cross-Site Scripting in the “url” query parameter.Status: Patched.Details: This vulnerability was first reported by Mario Heiderich on May 18th 2009, on twitter.A week later, I found that this vulnerability got fixed. Unfortunately, after playing with it a bit, I figured that it was only partially fixed. Instead of encoding the HTML entities, bit.ly developers have decided to strip the <> characters. E.g. this proof-of-concept would have popup an alert on IE7:htttp://bit.ly/?url=”%20style=”color:expression(document.body.onload=function()%20{alert(1)})The following is the screenshot of the PoC:

Several days ago, after a long discussion with Mario, bit.ly has finally fully fixed this vulnerability.

3) Reflected POST Cross-Site Scripting in the username field of the login pageStatus: PatchedDetails: This vulnerability was reported by Mario Heiderich. See Mario’s advisory for more details: http://heideri.ch/bit.ly.txtThis vulnerability was fixed by bit.ly yesterday.

4) Persistent Cross-Site Scripting in the content-type field of the URL info pageStatus: *Unpatched*Patched.Details: This vulnerability was submitted by Mike Bailey on June 25th 2009.Whenever a URL of a website gets shortened by bit.ly service, an information page is created for the URL, with statistics and metadata about the website.One of the metadata information being stored by bit.ly is the content-type response header of the shortened URL page. This information of-course can be easily changed.bit.ly fails to encode HTML entities while displaying the content-type information, and therefore allows injection of scripts to the page.Live proof-of-concept can be found here: http://bit.ly/info/JvH83Screenshot of the PoC (just in case the live demo will be removed):

Vendor response rate It took bit.ly a month and a half to fix simple XSS vulnerabilities. Very poor – 0.5 twits.

In conclusionbit.ly has a large user base (who doesn’t click bit.ly links?). However, with such a poor response rate to security vulnerabilities, and with such a poorly coded website, in terms of security, we can only hope for the best. Please be careful clicking those shortened URLs…

[Update – 3 hours into Month of Twitter Bugs] bit.ly have finally fixed the last vulnerability.

Twitter have fixed this issue, by making authentication on the friends timeline mandatory, as is already on other pages with sensitive information.
Giorgio Maone, the creator of NoScript, shows that the JSON weakness can still be demonstrated on the public timeline page. Fortunately, this page is intended for public information.